[Opendnssec-develop] DNS adapters configuration

Matthijs Mekking matthijs at NLnetLabs.nl
Tue Sep 13 08:10:38 UTC 2011



On 09/08/2011 12:31 PM, Matthijs Mekking wrote:
> Hi,
> 
> From the notes:
> 
> 	work has started on the DNS adapters (as opposed to file
> 	adapters). some ideas on configuration, but work needs to be
> 	done on zonefetcher to allow more flexibility.
> 
> The idea is to completely deprecate the zone fetcher. In the future,
> people can use the DNS adapters. The zonefetch.xml currently does
> inbound zone transfer and can handle only one master for all zones. In
> order to provide more flexibility for per-zone configuration, I think
> the files should be split up. One file is needed when setting up the
> engine (which address do I listen to?), the other file lists the acl.
> 
> The proposed files can be found here:
> 
>    branches/OpenDNSSEC-adapters/conf/addns.rnc
>    branches/OpenDNSSEC-adapters/conf/addns.xml.in
>    branches/OpenDNSSEC-adapters/conf/addnsconf.rnc
>    branches/OpenDNSSEC-adapters/conf/addnsconf.xml.in
> 
> In the conf.xml you have:
> 
> 	<Adapters>
> 		<Adapter type="DNS">
> 			<ConfigurationFile>addns.xml</ConfigurationFile>
> 		</Adapter>
> 	</Adapters>
> 
> This tells the signer engine that there will be DNS adapters that need
> to be initialized. The configuration of the adapter is just a list of
> one or more interfaces that are listening to incoming notifies and zone
> transfer requests.
> 
> start = element Adapter {
>         # Type of adapter
>         attribute type { xsd:string },
>         # where to listen for notifies and zone transfer requests
>         element NotifyListen { localAddress }*
> }
> 
> ipv4 = element IPv4 { xsd:string }
> ipv6 = element IPv6 { xsd:string }
> port = element Port { xsd:positiveInteger { maxInclusive = "65535" } }
> 
> localAddress = (ipv4 | ipv6)?, port?

When thinking about Dynamic Update Adapters, you would typically listen
for update messages on the same interface as you would expect zone
transfer requests and notifies. Perhaps we don't need Adapter
configuration in conf.xml, and we can put a list of <NotifyListen>s
directly in the <Signer> block in conf.xml.

Best regards,
  Matthijs


> In the zonelist.xml you can have something like:
> 
> 	<Adapters>
> 		<Input>
> 			<Adapter type="DNS">acl.xfr</Adapter>
> 		</Input>
> 		<Output>
> 			<Adapter type="DNS">acl.xfr</Adapter>
> 		</Output>
> 	</Adapters>
> 
> The acl.xfr file contains tsig, master and slave address and such. The
> syntax is as follows:
> 
> start = element Adapter {
>         # Type of adapter
>         attribute type { xsd:string },
> 
>         # inbound zone transfer settings
>         element Inbound {
>                 # what TSIG secret to use
>                 tsig?,
>                 element RequestTransfer { remoteAddress }*,
>                 element AllowNotify { remoteAddress }*
>         },
> 
>         # outbound zone transfer settings
>         element Outbound {
>                 # what TSIG secret to use
>                 tsig?,
>                 element ProvideTransfer { remoteAddress }*,
>                 element Notify { remoteAddress }*
>         }
> }
> 
> I don't know if and how to fit in tunings for zone transfers like axfr
> only, udp only. Do we need to have that? If so, is that on a per zone
> basis or a per host basis?
> 
> Best regards,
>   Matthijs
> 
> 
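As an added example (not OpenDNSSEC code and not part of the mail above): a small Python linter for an acl.xfr-style file in the layout proposed in the quoted message. The quoted schema leaves remoteAddress and tsig undefined, so the example assumes remoteAddress is an IPv4 or IPv6 element plus an optional Port (mirroring the mail's localAddress) and that the TSIG reference is a <TSIG> element naming the key; the embedded sample file is constructed. It flags the point that matters most in this design: a RequestTransfer or ProvideTransfer list with no TSIG, where nothing but the peer's source address authenticates the transfer.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample acl.xfr in the layout proposed on the list. The mail does
# not define remoteAddress or tsig; this example ASSUMES remoteAddress is
# <IPv4>|<IPv6> plus optional <Port> (like the mail's localAddress) and that
# the TSIG reference is a <TSIG> element naming the key.
SAMPLE_ACL = """<Adapter type="DNS">
  <Inbound>
    <TSIG>hidden-master.example.</TSIG>
    <RequestTransfer><IPv4>192.0.2.1</IPv4><Port>53</Port></RequestTransfer>
    <AllowNotify><IPv4>192.0.2.1</IPv4></AllowNotify>
  </Inbound>
  <Outbound>
    <ProvideTransfer><IPv4>198.51.100.7</IPv4></ProvideTransfer>
    <ProvideTransfer><IPv4>0.0.0.0</IPv4></ProvideTransfer>
    <Notify><IPv6>2001:db8::7</IPv6><Port>70000</Port></Notify>
    <Notify><IPv4>2001:db8::8</IPv4></Notify>
  </Outbound>
</Adapter>
"""

# section -> (transfer-peer element, notify-peer element), per the proposed RNC
SECTIONS = {
    "Inbound": ("RequestTransfer", "AllowNotify"),
    "Outbound": ("ProvideTransfer", "Notify"),
}


def parse_remote(elem):
    """Return (ip_address, port_or_None) for one remoteAddress element.

    Raises ValueError if the element is not a well-formed address/port pair.
    """
    v4, v6, port = elem.findtext("IPv4"), elem.findtext("IPv6"), elem.findtext("Port")
    if (v4 is None) == (v6 is None):
        raise ValueError("exactly one of <IPv4>/<IPv6> is required")
    ip = ipaddress.ip_address((v4 if v4 is not None else v6).strip())
    wanted = 4 if v4 is not None else 6
    if ip.version != wanted:
        raise ValueError(f"{ip} does not match its <IPv{wanted}> element")
    port_no = None
    if port is not None:
        port_no = int(port)
        if not 1 <= port_no <= 65535:  # the RNC says positiveInteger, maxInclusive 65535
            raise ValueError(f"port {port_no} out of range")
    return ip, port_no


def lint_acl(xml_text):
    """Parse one adapter ACL and return a list of findings (empty means clean)."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "Adapter" or root.get("type") != "DNS":
        return ['root must be <Adapter type="DNS">']
    for section_name, (xfr_tag, notify_tag) in SECTIONS.items():
        section = root.find(section_name)
        if section is None:
            continue
        # Without a TSIG key the only thing authenticating a transfer peer is
        # its source address, which is exactly what an attacker controls.
        if section.findall(xfr_tag) and section.find("TSIG") is None:
            findings.append(f"{section_name}: {xfr_tag} configured without TSIG")
        for tag in (xfr_tag, notify_tag):
            for peer in section.findall(tag):
                try:
                    ip, _port = parse_remote(peer)
                except ValueError as exc:
                    findings.append(f"{section_name}/{tag}: {exc}")
                    continue
                if ip.is_unspecified:
                    # 0.0.0.0 / :: is never a real peer; if a loader treated it
                    # as a wildcard, ProvideTransfer would hand the zone to anyone.
                    findings.append(f"{section_name}/{tag}: unspecified address {ip}")
    return findings


if __name__ == "__main__":
    for finding in lint_acl(SAMPLE_ACL):
        print(finding)
```

Running the file prints the findings for the embedded sample (the unauthenticated outbound transfer list, the unspecified address, the out-of-range port and the address/element mismatch). lint_acl returns them as a list so the same check can run before a signer reload rather than only by hand.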